gateway/conf.d/apicast.conf

set_by_lua $user_agent 'return require("apicast.user_agent")()';
set_by_lua_block $deployment {
  local user_agent = require('apicast.user_agent')
  return string.format('%s+%s', user_agent.platform(), user_agent.deployment())
}

# TODO: enable in the future when we support SSL
# ssl_certificate_by_lua_block { require('apicast.executor').call() }
# ssl_session_fetch_by_lua_block { require('apicast.executor').call() }
# ssl_session_store_by_lua_block { require('apicast.executor').call() }

location = /___http_call {
  internal;

  set $url '';

  set $proxy_pass '';

  set $host_header '';
  set $connection_header 'close';
  set $options '';
  set $grant_type '';

  proxy_pass $proxy_pass;
  proxy_pass_request_headers off;
  proxy_pass_request_body on;
  proxy_ssl_name $host_header;
  proxy_http_version 1.1;

  proxy_set_header Host $host_header;
  proxy_set_header Connection $connection_header;
  proxy_set_header X-Real-IP  $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-3scale-User-Agent $deployment;
  proxy_set_header X-3scale-Version $version;
  proxy_set_header User-Agent $user_agent;
  proxy_set_header X-3scale-OAuth2-Grant-Type $grant_type;
  proxy_set_header 3scale-options $options;

  # Hack for having a valid openresty config and valid liquid templating
  #{% if opentracing_forward_header == nil or opentracing_forward_header == empty %}
  #   {% assign opentracing_forward_header = "uber-trace-id" %}
  #{% endif %}
  #{% if opentracing_tracer != nil or opentracing_forward_header != nil %}
  #   {% capture proxy_set_header_opentracing %}
  #{#} proxy_set_header {{opentracing_forward_header}} $http_{{ opentracing_forward_header | replace: "-","_" }};
  #   {% endcapture %}
  #   {{ proxy_set_header_opentracing | replace: "#{#}", "" }}
  #{% endif %}

  rewrite_by_lua_block {
    require('resty.http_ng.backend.ngx'):resolver()
  }
}

location @out_of_band_authrep_action {
  internal;

  proxy_pass_request_headers off;

  set_by_lua $original_request_time 'return ngx.var.request_time';

  content_by_lua_block {
    require('resty.ctx').apply()
    require('apicast.executor'):post_action()
 }

  log_by_lua_block {
    ngx.var.post_action_impact = ngx.var.request_time - ngx.var.original_request_time
    require('apicast.executor'):log()
  }
}

location @upstream {
  internal;

  rewrite_by_lua_block {
    require('resty.ctx').apply()
  }

  proxy_pass $proxy_pass;

  proxy_http_version 1.1;
  proxy_set_header X-Real-IP  $remote_addr;
  proxy_set_header Host $http_host;
  proxy_set_header X-3scale-proxy-secret-token $secret_token;
  proxy_set_header X-3scale-debug "";
  proxy_set_header Connection "";

  # This is a bit tricky. It uses liquid to set a SSL client certificate. In
  # NGINX, all this is not executed as it is commented with '#'. However, in
  # Liquid, all this will be evaluated. As a result, the following directives
  # are set optionally: proxy_ssl_certificate, proxy_ssl_certificate_key,
  # proxy_ssl_session_reuse, and proxy_ssl_password_file.

  # {% if proxy_ssl_certificate != empty and proxy_ssl_certificate_key != empty %}
  #   {% capture proxy_ssl %}
  #{#}   proxy_ssl_certificate {{ proxy_ssl_certificate }};
  #{#}   proxy_ssl_certificate_key {{ proxy_ssl_certificate_key }};
  #   {% endcapture %}
  #   {{ proxy_ssl | replace: "#{#}", "" }}
  #
  #   {% if proxy_ssl_password_file != empty %}
  #     {% capture proxy_ssl %}
  #{#}   proxy_ssl_password_file {{ proxy_ssl_password_file }};
  #     {% endcapture %}
  #   {{ proxy_ssl | replace: "#{#}", "" }}
  #   {% endif %}
  #
  #   {% if proxy_ssl_session_reuse != empty %}
  #     {% capture proxy_ssl %}
  #{#}   proxy_ssl_session_reuse {{ proxy_ssl_session_reuse }};
  #     {% endcapture %}
  #   {{ proxy_ssl | replace: "#{#}", "" }}
  #   {% endif %}
  # {% endif %}

  # these are duplicated so when request is redirected here those phases are executed
  post_action @out_of_band_authrep_action;
  body_filter_by_lua_block { require('apicast.executor'):body_filter() }
  header_filter_by_lua_block { require('apicast.executor'):header_filter() }
}

location / {
  set $cached_key '';
  set $credentials '';
  set $usage '';
  set $service_id '';
  set $proxy_pass '';
  set $secret_token '';

  set $backend_host 'backend';
  set $backend_authentication_type '';
  set $backend_authentication_value '';
  set $version '';
  set $real_url '';

  set $ctx_ref -1;

  set $post_action_impact '';
  set $original_request_id '';

  proxy_ignore_client_abort on;

  rewrite_by_lua_block {
    require('resty.ctx').stash()
    require('apicast.executor'):rewrite()
  }
  access_by_lua_block { require('apicast.executor'):access() }

  content_by_lua_block { require('apicast.executor'):content() }

  # these are duplicated so those phases are executed when no internal redirect happens
  post_action @out_of_band_authrep_action;
  body_filter_by_lua_block { require('apicast.executor'):body_filter() }
  header_filter_by_lua_block { require('apicast.executor'):header_filter() }

  include ../apicast.d/location.d/*.conf;
}

# This exposes a health check for kubernetes environments
# This is so the healtcheck on our Google HTTP load balancers works
location /_threescale/healthz {
  return 200;
  access_log off;
}